Spyke

Replies

Comment on

I built a self-hosted period tracker because I couldn't find one worth using

Reply in thread

I do use AI tools while developing this project, but I also have a BSc in Computer Science. AI is a productivity tool.

Security is something I take seriously, especially since the project deals with health data. All code has tests, and you're welcome to inspect the repository yourself or point out any specific security concerns if you notice them.

Regarding licensing: the AGPL license applies to the project as a whole regardless of the tools used to write parts of the code.

If you have concrete technical feedback or security issues, I’d genuinely appreciate it.

Comment on

I built a self-hosted period tracker because I couldn't find one worth using

Reply in thread

Ovumcy isn’t trying to replace them. The idea here is to explore a self-hosted, web-based approach that focuses on running the app on infrastructure you control, with simple deployment and cross-device access through the browser.

Different tools optimize for different things. Native apps like Drip or Mensinator are great for fully local tracking, while Ovumcy explores a self-hosted model that can be accessed from multiple devices without relying on a third-party service.

Comment on

I built a self-hosted period tracker because I couldn't find one worth using

I use Android, my wife uses iOS. So many things that are on F-Droid are simply unavailable to her (yes, I tried to convince her to go to our side). So I searched for living projects with a self-hosting idea, did not find one and decided to create one. I have a CS background, though my professional work today is mostly in finance as a senior analyst where I write code to automate and optimize workflows. Ovumcy started as a personal project exploring a self-hosted approach to cycle tracking.

Comment on

I built a self-hosted period tracker because I couldn't find one worth using

Reply in thread

Thanks for the suggestions, those are good points.

CSP is something I plan to tighten over time, but enabling a strict policy right now would require refactoring some inline JS patterns used in the templates. It’s definitely on the roadmap as part of security hardening.

Regarding CORS, the application currently runs as a same-origin server-rendered app rather than a cross-origin API, so CORS headers aren’t enabled by default. If external clients or integrations are added in the future, I’d likely introduce a restricted allowlist for specific API routes.
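The reply above names inline JS in the templates as the blocker for a strict CSP. The following is an added example, not part of the comment or of Ovumcy's code: a small audit pass that lists the patterns a nonce-based policy without 'unsafe-inline' would block. The sample template, the `Finding` type and `AuditTemplate` are constructed for illustration, and Go-style template syntax is an assumption.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one inline-JS pattern that a CSP without 'unsafe-inline' blocks.
type Finding struct {
	Line int
	Kind string
}

// Heuristic, line-based patterns; a tag split across lines is not detected.
var (
	scriptTag   = regexp.MustCompile(`(?i)<script\b([^>]*)>`)
	hasSrc      = regexp.MustCompile(`(?i)\bsrc\s*=`)
	hasNonce    = regexp.MustCompile(`(?i)\bnonce\s*=`)
	handlerAttr = regexp.MustCompile(`(?i)<[a-z][^>]*\son[a-z]+\s*=`)
	jsURL       = regexp.MustCompile(`(?i)\b(?:href|src|action)\s*=\s*["']?\s*javascript:`)
)

// Constructed sample template (not taken from the Ovumcy repository).
const sampleTemplate = `<form action="/logout" method="post" onsubmit="return confirm('Log out?')">
<a href="javascript:void(0)" class="menu">Menu</a>
<script src="/static/app.js"></script>
<script nonce="{{.Nonce}}">init()</script>
<script>window.flash = "{{.Flash}}"</script>`

// AuditTemplate reports what must be refactored before dropping 'unsafe-inline'.
// External scripts and nonce-carrying scripts pass a nonce-based policy.
func AuditTemplate(src string) []Finding {
	var out []Finding
	for i, line := range strings.Split(src, "\n") {
		for _, m := range scriptTag.FindAllStringSubmatch(line, -1) {
			if !hasSrc.MatchString(m[1]) && !hasNonce.MatchString(m[1]) {
				out = append(out, Finding{i + 1, "inline-script"})
			}
		}
		if handlerAttr.MatchString(line) { // onclick=, onsubmit=: nonces never cover these
			out = append(out, Finding{i + 1, "event-handler"})
		}
		if jsURL.MatchString(line) {
			out = append(out, Finding{i + 1, "javascript-url"})
		}
	}
	return out
}
func main() {
	for _, f := range AuditTemplate(sampleTemplate) {
		fmt.Printf("line %d: %s\n", f.Line, f.Kind)
	}
}
```

Run over a template directory in CI, a non-empty result marks the files to refactor before the strict policy can move from `Content-Security-Policy-Report-Only` to enforcement.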

Comment on

I built a self-hosted period tracker because I couldn't find one worth using

Reply in thread

No, we didn’t ship it without security hardening.

We already hardened the main sensitive parts:

  • sealed auth/recovery/reset/flash cookies
  • no auth or recovery secrets in URLs or JSON
  • POST + CSRF logout
  • basic browser security headers
  • CodeQL, gosec, Trivy, and SBOM in CI

What’s still missing is a strict CSP. That’s not a one-line switch here because the current frontend still needs some refactoring first.

Comment on

I built a self-hosted period tracker because I couldn't find one worth using

Reply in thread

Thanks, this is really useful feedback.

The reminder part is already on the roadmap, and I’ve now added two more issues based on your note about irregular cycles:

  • #17 Add irregularity factor tags for cycle tracking
  • #18 Use recorded cycle factors to improve prediction context

The direction I’d want for Ovumcy is less “the app predicts the why” and more:

  • users can log things like stress, illness, travel, sleep disruption, etc.
  • the app can use that to give better context and reliability hints for irregular cycles
  • without pretending to make hard medical claims

The anonymous scrubbed-submission idea is interesting too, but I’d treat that as much later, because it changes the privacy/trust model a lot.

Happy to keep talking about it, and future PRs would definitely be welcome.